
Almost 9 in 10 Firms Remain Vulnerable to Cyber Risks

Fintech Global • January 28, 2026

Companies Mentioned

  • Microsoft (MSFT)
  • Maven
  • WordPress.com
  • Oracle (ORCL)
  • CISA

Why It Matters

Extended vulnerability windows increase breach risk and drive higher cyber‑insurance premiums, reshaping risk assessment across the sector.

Key Takeaways

  • 88% of exposed firms stay vulnerable six months+
  • 11% face actively exploited vulnerabilities
  • Remote code execution tops vulnerability types
  • Patch delays span FTSE 350 to S&P 500
  • Insurers view remediation speed as risk metric

Pulse Analysis

The KYND report underscores a stubborn reality: most organizations fail to remediate known flaws promptly. Analyzing over 2,000 enterprises—including FTSE 350 and S&P 500 constituents—the study found that 88% of firms with identified vulnerabilities remained exposed for at least six months. This persistence mirrors earlier industry surveys that flagged patch fatigue, yet the scale reported by KYND suggests a widening gap between detection and remediation. Remote code execution (RCE) emerged as the leading flaw, accounting for nearly a third of critical issues, highlighting how a single class of bugs can jeopardize diverse technology stacks from Oracle to WordPress.

From a financial perspective, prolonged exposure reshapes the cyber‑insurance landscape. Insurers traditionally priced policies on the sheer number of vulnerabilities, but KYND’s founder Andy Thomas warns that remediation speed now serves as a behavioral indicator of underlying risk management maturity. Portfolios laden with firms that habitually delay patches exhibit stacked exposures, inflating loss‑adjustment expectations and prompting higher premiums or stricter underwriting terms. Moreover, recent high‑profile exploits—such as the October 2025 Windows Server Update Services flaw—demonstrate how quickly threat actors can weaponize unpatched code, turning a manageable issue into a costly breach.

Enterprises can curb this exposure by embedding continuous patch management into their security operations. Automated vulnerability scanning paired with prioritized remediation workflows reduces the window of exploitability, especially for RCE‑type bugs. Governance frameworks that tie patch timelines to executive accountability further align IT actions with board‑level risk appetites. For insurers, integrating real‑time remediation metrics into underwriting models offers a more granular view of portfolio health, encouraging policyholders to adopt faster fix cycles. Ultimately, narrowing the six‑month remediation gap will lower breach likelihood, protect critical infrastructure, and stabilize cyber‑insurance pricing.
